In yet another blow to Google Analytics in Europe, the Italian data protection authority found that a local web publisher’s use of it violated GDPR rules. As a result, the popular analytics tool has been declared illegal in Italy after being banned in France and Austria earlier this year.
After fielding some complaints, the Italian SA began a complicated fact-finding process in close coordination with other EU data protection agencies. The Italian SA found that website owners using Google Analytics used cookies to record user interactions, visited pages, and offered services. The data collected were the IP address, browser, operating system, screen resolution, language, and the date and time of page viewing. These data were then sent to the US. The Italian SA determined that the processing was unconstitutional since an IP address is personal data and would not be anonymized even if abbreviated, given Google’s ability to augment such data with additional information.
Furthermore, the Italian SA decided that the measures adopted by Google to supplement the data transfer did not provide an adequate level of protection for users’ personal data as per the guidance provided by the European Data Protection Board. This was pretty much the same conclusion reached by the DSB (Austrian Data Protection Authority) and the CNIL (French Data Protection Agency), which set off this chain reaction.
It is important to note that Google intends to retire Universal Analytics in favor of Google Analytics 4 next year. GA4 is machine-learning driven and privacy-centric by design, becoming Google’s measurement solution in a world where cookies are becoming obsolete and privacy regulations are becoming increasingly stringent. However, it is unclear whether this new analytics tool will tick all the boxes needed to meet the EU requirements.